Linux systemd reload or start rule (T1501)

rules/linux/lnx_pers_systemd_reload.yml

@@ -0,0 +1,24 @@
+title: Systemd service reload or start
+description: Detects a reload or a start of a service
+status: experimental
+tags:
+    - attack.persistence
+    - attack.t1501
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+detection:
+    selection1:
+        - 'systemctl'
+    selection2:
+        - 'daemon-reload'
+        - 'start'
+    # systemctl AND (daemon-reload OR start)
+    condition: selection1 and selection2
+falsepositives:
+    - Installation of legitimate service
+level: low
+references:
+    - https://attack.mitre.org/techniques/T1501/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml